
Docker workflow to build and push image#76

Merged
Harish-Naruto merged 2 commits into main from docker-worflow
Jun 23, 2026

Conversation


@Harish-Naruto Harish-Naruto commented Jun 23, 2026

Member

Summary by CodeRabbit

  • Chores
    • Added automated Docker image build and deployment pipeline that runs on code changes to the main branch, enabling faster and more reliable container image releases.


coderabbitai Bot commented Jun 23, 2026

Contributor


Warning

Review limit reached

@Harish-Naruto, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 29 minutes and 16 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses rolling per-developer review limits. Reviews become available again as older review attempts age out of the rolling limit window.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 253e1a30-9487-4980-936b-3cb01dba9794

📥 Commits

Reviewing files that changed from the base of the PR and between 40da583 and a2ea3c0.

📒 Files selected for processing (1)
  • .github/workflows/docker-image.yml
📝 Walkthrough

A GitHub Actions workflow file is added at .github/workflows/docker-image.yml. It triggers on pushes and pull requests targeting main, authenticates to Docker Hub using repository secrets, and builds and pushes the callofcode07/coc-api:latest Docker image using docker/build-push-action@v6, with the push step gated to push events only.

Changes

Docker Image CI Pipeline

Layer / File(s): Docker build-and-push workflow (.github/workflows/docker-image.yml)
Summary: Adds a full CI workflow that triggers on main push/PR events, checks out the repository, logs into Docker Hub via DOCKER_USERNAME/DOCKER_PASSWORD secrets, and builds and pushes the callofcode07/coc-api:latest image from ./Dockerfile; the push step runs only on push events, not on pull requests.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested reviewers

  • callofcode07

Poem

🐇 Hippity-hop, a workflow appears,
Pushing Docker images, calming CI fears!
On every push to main, the container sails,
Built and tagged with care, no broken trails.
The rabbit approves — deploy without wails! 🐳

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title directly and accurately describes the main change: adding a GitHub Actions workflow to build and push Docker images.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


@coderabbitai coderabbitai Bot left a comment

Contributor


Actionable comments posted: 2

🧹 Nitpick comments (1)
.github/workflows/docker-image.yml (1)

29-29: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Add an immutable image tag alongside latest.

Only pushing :latest (Line 29) makes rollback/auditability harder. Add a commit-SHA tag in addition to latest for reproducible deployments.

Suggested refactor
       - name: Build and push Docker image
         uses: docker/build-push-action@v6
         with:
           context: .
           file: ./Dockerfile
           push: ${{ github.event_name == 'push' }}
-          tags: callofcode07/coc-api:latest
+          tags: |
+            callofcode07/coc-api:latest
+            callofcode07/coc-api:${{ github.sha }}
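Review bot: the SHA tag only reaches the registry when `push: ${{ github.event_name == 'push' }}` evaluates true, so on pull_request runs, where `github.sha` is the synthetic merge commit rather than the branch head, nothing misleading is published; keep that gate in place if the tag list grows. With an immutable SHA tag available, also decide whether deployments should reference it instead of the mutable `latest`, since the mutable tag is what makes rollback ambiguous.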
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/docker-image.yml at line 29, In the docker-image.yml
workflow file, locate the tags configuration where callofcode07/coc-api:latest
is specified and add an additional immutable tag using the commit SHA alongside
it. Modify the tags line to include both the latest tag and a commit-based tag
(e.g., using ${{ github.sha }}) so that each build is tagged with both latest
for current deployment and a unique SHA-based identifier for reproducibility and
rollback capabilities.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/docker-image.yml:
- Around line 17-21: The "Log in to Docker Hub" step at lines 17-21 runs on all
events including pull request runs, but Docker secrets are unavailable in
fork-based PRs causing CI failures. Add a conditional gate to this step using an
`if` statement to only execute on push events (not on pull_request events),
similar to how the push operation is already guarded later in the workflow. This
ensures Docker Hub login credentials are only used when secrets are actually
available.
- Around line 14-24: Replace the version tags in all three GitHub Actions with
immutable commit SHAs to prevent supply-chain risk: update actions/checkout from
`@v4` to its specific commit SHA, update docker/login-action from `@v3` to its
commit SHA, and update docker/build-push-action from `@v6` to its commit SHA. Add
persist-credentials: false as a parameter under the with section of the Checkout
repository step to prevent GitHub token exposure to subsequent steps. Add an if
condition to the Log in to Docker Hub step with the value github.event_name ==
'push' to prevent authentication failures when the workflow runs on forked pull
requests where secrets are unavailable.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2af3dcba-a4f4-453d-bbd7-e96984af62ab

📥 Commits

Reviewing files that changed from the base of the PR and between 6cae6e6 and 40da583.

📒 Files selected for processing (1)
  • .github/workflows/docker-image.yml

Comment on lines +14 to +24
- name: Checkout repository
uses: actions/checkout@v4

- name: Log in to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}

- name: Build and push Docker image
uses: docker/build-push-action@v6
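Review bot: the "Log in to Docker Hub" step has no `if:` gate, so it also runs on pull_request events, where `secrets.DOCKER_USERNAME` and `secrets.DOCKER_PASSWORD` are empty for fork PRs and the step fails; add `if: github.event_name == 'push'`, matching the gate the later push step already uses. Separately, make sure `DOCKER_PASSWORD` holds a Docker Hub access token scoped to this repository rather than the account password, so a leaked secret cannot be used to change account settings.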

Contributor


🔒 Security & Privacy | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, locate and examine the workflow file
find . -name "docker-image.yml" -type f

Repository: call-0f-code/COC-API
Length of output: 195

🏁 Script executed:

# Check the full content of the workflow file to understand context
cat -n .github/workflows/docker-image.yml

Repository: call-0f-code/COC-API
Length of output: 1035

🏁 Script executed:

# Verify the specific lines mentioned (14-24) and surrounding context
sed -n '1,30p' .github/workflows/docker-image.yml | cat -n

Repository: call-0f-code/COC-API
Length of output: 1035

Pin all GitHub Actions to commit SHAs and disable checkout credential persistence.

All three actions (checkout, docker/login-action, and docker/build-push-action) use tag refs instead of immutable commit SHAs, creating supply-chain risk if tags are reassigned. Additionally, the checkout action omits persist-credentials: false, leaving the GitHub token available to subsequent steps unnecessarily.

Suggested hardening diff
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@<FULL_LENGTH_COMMIT_SHA>
+        with:
+          persist-credentials: false

       - name: Log in to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@<FULL_LENGTH_COMMIT_SHA>

       - name: Build and push Docker image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@<FULL_LENGTH_COMMIT_SHA>
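Review bot: when the `<FULL_LENGTH_COMMIT_SHA>` placeholders are filled in, keep the tag as a trailing comment (e.g. `uses: actions/checkout@<sha> # v4`) so Dependabot or Renovate can still bump the pin; a bare SHA with no version hint is hard to audit and tends to rot. The `persist-credentials: false` addition is appropriate here because none of the three steps shown pushes back to the repository, so nothing needs the token after checkout.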

Note: The Docker Hub login step runs on both push and pull_request events, but will fail on forked PRs due to unavailable secrets. Consider adding if: github.event_name == 'push' to the login step to prevent unnecessary failures.

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 14-15: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
[error] 15-15: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
[error] 18-18: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
[error] 24-24: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)


Source: Linters/SAST tools
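The checks the walkthrough and the two review findings describe, as an added example that is not part of this PR or of CodeRabbit's output: a small line-based audit that flags unpinned `uses:` refs, `actions/checkout` without `persist-credentials: false`, and a Docker Hub login with no `if:` gate, run against a constructed copy of the weak step list and its hardened form. The 40-character SHAs in the hardened excerpt are placeholders, not real pins, and the excerpts are constructed from the steps quoted in the thread, not the project's file.

```python
import re

# Constructed excerpts mirroring the steps quoted in the review; SHAs are placeholders.
WEAK = """\
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Log in to Docker Hub
        uses: docker/login-action@v3
      - name: Build and push Docker image
        uses: docker/build-push-action@v6
"""
HARDENED = """\
    steps:
      - name: Checkout repository
        uses: actions/checkout@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # v4
        with:
          persist-credentials: false
      - name: Log in to Docker Hub
        if: github.event_name == 'push'
        uses: docker/login-action@bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb # v3
      - name: Build and push Docker image
        uses: docker/build-push-action@cccccccccccccccccccccccccccccccccccccccc # v6
"""
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def split_steps(text):
    """Group the lines of a `steps:` list per step (line-based, no PyYAML needed)."""
    steps, cur = [], None
    for line in text.splitlines():
        if line.lstrip().startswith("- "):
            steps.append(cur := [])
        if cur is not None:
            cur.append(line.strip().lstrip("- "))
    return steps

def audit_steps(text):
    """Flag unpinned refs, credential persistence on checkout, and an ungated login."""
    findings = []
    for step in split_steps(text):
        uses = next((l.split(":", 1)[1].strip() for l in step if l.startswith("uses:")), "")
        action, _, ref = uses.partition("@")
        ref = ref.split()[0] if ref else ""  # ignore a trailing "# v4" version hint
        if action and not SHA_RE.match(ref):
            findings.append(f"unpinned-uses: {uses}")
        if action == "actions/checkout" and "persist-credentials: false" not in step:
            findings.append("artipacked: checkout keeps persist-credentials enabled")
        if action == "docker/login-action" and not any(l.startswith("if:") for l in step):
            findings.append("ungated-login: docker/login-action also runs on pull_request")
    return findings
```

Running `audit_steps(WEAK)` yields five findings (three unpinned refs, the checkout credential persistence, and the ungated login), while `audit_steps(HARDENED)` yields none.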

Comment thread on .github/workflows/docker-image.yml: Add persist-credentials option to checkout step
@Harish-Naruto Harish-Naruto merged commit 3bf578c into main Jun 23, 2026
4 checks passed